Support Forum
gradius85
New Contributor III

IPv6 Link local vs Unique Local for point to point route

I need a small /124 network for the routing topology so I can use the IPv6 space assigned by my service provider. Since these are Global Unicast addresses, I want to assign them to my servers; however, I need a transit network that connects my edge router and the devices downstream, since my IPv6 network is not all Global Public addresses.

Due to the latter, does FortiGate distinguish (I know some vendors do) between Link Local and Unique Local when routing?

1 Solution
emnoc
Esteemed Contributor III

Yes, you're good to go; unique local or site local is what you should use for this. Nobody uses site-local in lieu of ULA. If you want to prevent leakage of these, ensure you filter at the internet edge if required.

Make sure to use a unique global ID for the ULA if you are planning to encompass multiple sites. This will prevent later headaches with duplicate addresses. Either assign the global-ID part manually (which is what I do) or use a generator to make the work easier.

e.g.

   https://www.ultratools.com/tools/rangeGenerator

or

   https://cd34.com/rfc4193/

YMMV, but ULA is what you want.

And in your drawing I would generate a ULA for the site and waste a /64 on each link:

link1
fd03:f9b7:256f:0::/64

link2
fd03:f9b7:256f:1::/64

link3
fd03:f9b7:256f:2::/64

and so on. It's a waste of addresses to use a /64, but who cares, it's IPv6 and ULAs ;)

Ken Felix
PCNSE NSE StrongSwan

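The procedure in the accepted answer (pick a unique 40-bit Global ID, build the fd00::/8 site prefix, carve a /64 per link, and filter the ULA range at the internet edge) is shown below as an added example; this is not code from emnoc's post or from Fortinet. The Global ID derivation follows the SHA-1 recipe in RFC 4193 section 3.2.2 rather than either of the linked web generators. The MAC address, timestamp and prefixes in the demo run are constructed inputs, and the function names (`rfc4193_global_id`, `ula_prefix`, `link_subnets`, `edge_should_drop`) are this example's own.

```python
"""RFC 4193 ULA planning helper (added example, not from the forum post)."""
import hashlib
import ipaddress
import time
from typing import List, Optional

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to the Unix epoch

ULA_RANGE = ipaddress.IPv6Network("fc00::/7")    # RFC 4193 unique local
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")  # link-local, never routed


def mac_to_eui64(mac: str) -> bytes:
    """Modified EUI-64 from a 48-bit MAC: flip the U/L bit, insert ff:fe."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def rfc4193_global_id(mac: str, when: Optional[float] = None) -> bytes:
    """40-bit pseudo-random Global ID per RFC 4193 section 3.2.2.

    key = 64-bit NTP-format timestamp || EUI-64 of the generating host;
    Global ID = the low-order 40 bits of SHA-1(key).  'when' is a Unix
    timestamp (constructed/fixed in the demo for reproducibility).
    """
    if when is None:
        when = time.time()
    secs = (int(when) + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    frac = int((when - int(when)) * (1 << 32)) & 0xFFFFFFFF
    ntp64 = secs.to_bytes(4, "big") + frac.to_bytes(4, "big")
    return hashlib.sha1(ntp64 + mac_to_eui64(mac)).digest()[-5:]


def ula_prefix(global_id: bytes) -> ipaddress.IPv6Network:
    """fd00::/8 (prefix fc00::/7 with L=1, locally assigned) + Global ID -> site /48."""
    if len(global_id) != 5:
        raise ValueError("Global ID must be exactly 40 bits")
    raw = b"\xfd" + global_id + bytes(10)
    return ipaddress.IPv6Network((raw, 48))


def link_subnets(site: ipaddress.IPv6Network, count: int) -> List[ipaddress.IPv6Network]:
    """Carve 'count' /64s out of the site /48, one per point-to-point link."""
    if site.prefixlen != 48:
        raise ValueError("expected the site /48")
    gen = site.subnets(new_prefix=64)
    return [next(gen) for _ in range(count)]


def edge_should_drop(prefix: str) -> bool:
    """Internet-edge filter logic: ULA (fc00::/7) and link-local prefixes must
    never be advertised to, or forwarded toward, the public IPv6 backbone."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return net.subnet_of(ULA_RANGE) or net.subnet_of(LINK_LOCAL)


if __name__ == "__main__":
    # Constructed inputs: a made-up MAC and a fixed timestamp.
    site = ula_prefix(rfc4193_global_id("00:11:22:33:44:55", when=1700000000.0))
    print("site /48:", site)
    for i, link in enumerate(link_subnets(site, 3), start=1):
        print(f"link{i}: {link}")
    for p in ("fd03:f9b7:256f::/48", "fe80::/64", "2001:db8::/32"):
        print(p, "-> drop at edge" if edge_should_drop(p) else "-> ok to announce")
```

Feeding the answer's own site prefix fd03:f9b7:256f::/48 to `link_subnets` reproduces its link1..link3 allocations. `edge_should_drop` is the decision the answer asks for at the edge: apply it to outbound route advertisements and to the egress policy so a ULA source never reaches the public backbone, since nothing in IPv6 itself stops a ULA from being forwarded.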
emnoc
Esteemed Contributor III

I believe you can use unique-local, FWIW. That is what it was designed for.

I've never personally used them, since we have plenty of IPv6 blocks or assignments. Keep in mind traceroute6 might show weird stuff, and you can't leak this to the public IPv6 backbone.

So, as long as it stays local to your org, I say go ahead and use unique-local.

 

Ken Felix
PCNSE NSE StrongSwan
gradius85
New Contributor III

@emnoc

Hi... Thank you for your conversation on this matter.

From what I understand, Unique Local addresses can be routed within your network; however, Link Local cannot. Due to the latter, would that not be the best, since I just need a point-to-point link, which would be a /30 in IPv4 speak?

emnoc wrote:
    Keep in mind traceroute6 might show weird stuff and
That is OK, and I'm not really worried about it, since you see some ISPs routing their traffic through RFC 1918 blocks, which is doable if you do not NAT. To be honest, I'm not sure if there is a mechanism in IPv6 that automatically stops Unique Local addresses from being routed externally. But Link Local would never be routed externally, or even through another hop for that matter. Due to the latter, this is why I was thinking about using it.
